All Apps and Add-ons

Splunk CIM index contraints

Explorer

In a distributed environment why does the splunk cim setup screen only see the indexes defined on the local search head, not all indexes that exist across the deployment? All other functions work as expected, though i'd like to lower search I/O by using the constrain index configuration of the CIM.

0 Karma
1 Solution

Splunk Employee
Splunk Employee

CIM Setup and type ahead work off the local indexes.conf

Even though the SH does not index data, it is very important to have a "complete" indexes.conf on your SH for the two reasons I listed above.

I would recommend that you have an indexes.conf app to push to all search heads from your deployer and/or deployement server.

At present Splunk Distributed search cannot see what is on the "peers" for indexes ,and thus the need for a local indexes.conf that is all inclusive of what you have on the peers.

If you don't want to do this, you can modify the macros by hand for CIM rather than using the CIM Setup.

You can go to settings / Data Models / here you can click on each data model and see in the constraint which macro the DM is using, and then you can modify that under

Settings/Advanced Search/Macros

View solution in original post

Splunk Employee
Splunk Employee

CIM Setup and type ahead work off the local indexes.conf

Even though the SH does not index data, it is very important to have a "complete" indexes.conf on your SH for the two reasons I listed above.

I would recommend that you have an indexes.conf app to push to all search heads from your deployer and/or deployement server.

At present Splunk Distributed search cannot see what is on the "peers" for indexes ,and thus the need for a local indexes.conf that is all inclusive of what you have on the peers.

If you don't want to do this, you can modify the macros by hand for CIM rather than using the CIM Setup.

You can go to settings / Data Models / here you can click on each data model and see in the constraint which macro the DM is using, and then you can modify that under

Settings/Advanced Search/Macros

View solution in original post

Explorer

Is there any potential that this functionality will eventually be moved into the code instead of having the one off app that needs to be managed?

0 Karma

Splunk Employee
Splunk Employee

You can manage the filters from within ES

Configure / CIM Setup

The CIM App can be used both with or without ES. So my guess to your question is no.

0 Karma

Super Champion

I wouldn't do directly via UI. But would do it in the staging Server -> then push it to deployer -> then to search head cluster
This way all your environments can get the same package

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!